CERT: Watching the Internet

Code Red didn't surprise Carnegie Mellon's Computer Emergency Response Team.
In fact, CERT was expecting
it. And, in part because of its efforts, one of the United States' most important
networks, the White House's, remained safe.

The fact is, CERT almost always knows about Internet-related attacks before
the general public does. It's the organization's job to know. CERT serves as
a sort of clearinghouse for security issues affecting the IT industry. "Our
goal is to better the practices of security and push them out to others to implement,"
explains Marty Lindner, CERT's team leader for incident handling. It does that
by analyzing potential threats, coordinating with vendors and other organizations
involved in security, and disseminating information through its Web site, e-mailers,
and other methods to thwart or minimize damage to the nation's IT infrastructure.

CERT, part of the Software Engineering Institute of Pittsburgh, Pennsylvania-based
Carnegie Mellon University, got its start in 1988 during the infancy of the
Internet, when the majority of traffic was college professors and soldiers.
Since then, it's grown to become one of the best-known security sites on the
Internet. It's a non-profit organization that receives the majority of its funding
from the U.S. Department of Defense.

CERT performs three key functions: vulnerability handling, incident handling,
and artifact analysis. The most visible of the three is incident handling, the
cleanup after a virus or worm has already hit, but the other two are just as important.

Vulnerability handling occurs at the earliest stages, when CERT learns about
potential security holes in a product. "The vast [majority of] work from
the vulnerability handling team goes unnoticed by the public, and that's a good
thing. It means we're finding vulnerabilities, talking to vendors and they're
building fixes into products before they're exploited," Lindner said.

CERT gets a lot of its information from the public. As of early August, it
had received more than 200,000 e-mails from people reporting problems. Based
on outside information and investigation from its own 25-member team, CERT determines
if there's a threat to the core Internet infrastructure, then notifies the appropriate
organizations or entities to stop attacks or minimize damage.

The other less-celebrated but equally critical mission is artifact analysis.
That involves reverse-engineering malware to "fingerprint" it and
see how it works. The next time a virus or worm is released, CERT can use that
information to see what the hackers are doing. Lindner said that code is often
reused by the black hats in different exploits. "The guts of Code Red have
been seen in Nimda, Code Red 2 and bits and pieces in other malware over the
years," he added.

Most of that code is aimed at Windows systems. But that might begin to change
with Windows Server 2003, which Lindner thinks is a step forward in terms of
security. "Microsoft takes a lot of bashing, but they have the biggest
code base of almost anybody. It's safe to say there are clear indications that
Microsoft is working much, much harder to try to produce more secure software.
But they still miss things," Lindner said.

Overall, Lindner doesn't think the Internet is getting safer, even with organizations
like his fighting the good fight against the bad guys. His opinion was borne
out just days after the interview for this article, as first MSBlaster and then
SoBig.F swept tsunami-like through the Internet.

What will help? Better software development, he said. "The Internet will
get more secure as the quality of software improves. As we spend more time producing
better-quality software, the level of security on the Internet will increase."

One class of vulnerability in particular sits at the top of his list.
"Buffer overflows is the biggie. If we eliminate buffer
overflows, we eliminate [most] exploits. When we eliminate exploits, we have
a more secure world."
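To make Lindner's point concrete, here is an added example (not code from the article or from CERT) of the kind of defect he is talking about: a fixed-size stack buffer filled by an unbounded copy, next to a hardened version of the same routine that checks the length first. The function names, the 16-byte field size and the sample inputs are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed field size for the example; any fixed-size buffer would do. */
#define FIELD_MAX 16

/* Returns the length of s, but never reads more than limit bytes.
 * Written out by hand so the example does not depend on POSIX strnlen(). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* VULNERABLE: copies the caller's string into a 16-byte stack buffer with
 * no length check. Any input of FIELD_MAX or more bytes overruns `field`
 * and overwrites whatever the compiler placed after it on the stack (saved
 * registers, the return address), which is the classic stack-based buffer
 * overflow. Returns the number of bytes copied. Only ever call this with
 * input that fits; it is here to show the defect, not to trigger it. */
size_t copy_field_unsafe(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);            /* no bounds check at all */
    return strlen(field);
}

/* HARDENED: measures the input with a bounded scan, rejects anything that
 * would not fit together with its NUL terminator, and copies exactly the
 * measured number of bytes. Returns -1 if the input is rejected, otherwise
 * the length that was copied. */
int copy_field_safe(const char *input)
{
    char field[FIELD_MAX];
    size_t len = bounded_len(input, FIELD_MAX);   /* never scans past FIELD_MAX */
    if (len >= FIELD_MAX)
        return -1;                                /* no room for the terminator */
    memcpy(field, input, len);
    field[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one exactly at the limit,
     * one that overruns. Only the safe routine sees the oversized ones. */
    const char *ok       = "alice";
    const char *at_limit = "exactly15chars!";     /* 15 bytes, fits */
    const char *too_long = "sixteen_chars_!!";    /* 16 bytes, rejected */

    printf("unsafe(ok)        = %zu\n", copy_field_unsafe(ok));
    printf("safe(ok)          = %d\n", copy_field_safe(ok));
    printf("safe(at_limit)    = %d\n", copy_field_safe(at_limit));
    printf("safe(too_long)    = %d\n", copy_field_safe(too_long));
    return 0;
}
```

The hardened version does not make the buffer bigger; it makes the length of the input irrelevant to what gets written, which is the property that removes the exploit class Lindner is describing. Compiling with `-fstack-protector` or building with address-sanitizer would catch the unsafe routine at run time, but neither is a substitute for the check itself.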